Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.
04-29-2023 10:02 AM
Hi,
I am facing problem when I import the 3rd party generated ssl cert into firewall, for example:
I generated the certificate locally on firewall and named it as mycert and when I exported it, it was named automatically to cert-mycert.csr
after generating the 3rd party key and downloaded locally to my PC, the name of the new certs are on default random naming.
usually I get 3 files: (.pem, .csr) file types.
when I import them, the certificate does not seem to change from pending state.
can anyone help please? I know that there is some kind of specific naming process but dont know what exactly to do and on which cert file?
04-29-2023 10:22 AM
When you import cert in you need to give it same name as your CSR is in the firewall. For example "mycert" as you mentioned in your case.
05-01-2023 04:02 PM
@SamerSaleem wrote:
so not the name that was saved on my local drive which is exported to "cert-mycert.csr" automatically?
When you first created the certificate signing request (CSR), you clicked the "Generate" button and then entered a name under "Certificate Name:". When you import the signed certificate click the "Import" button and then enter the same name under "Certificate Name:", and then select whatever filename you have on your desktop (the filename doesn't matter, just the certificate object name). The PaloAlto will automatically match the signed certificate to the previously generate CSR by the same name.
The signed certificate need to be a base64-encoded PEM file (either .pem or .cer typically), not a "Windows binary" PEM file. You can open it in notepad and you should see something like:
-----BEGIN CERTIFICATE-----
un098n3rimc09n8mricn93imc9imdcin39j83r03c3d
9ijc9crm93mc9r93m9c8m3mc39mr3f9mr09r0c9irm8
c0948j984j0f0984098j03f08r3mf098j3rmf9843jr
m498j40m984jf048jf0984jrf984kjr9fk4r09fk===
-----END CERTIFICATE-----
04-29-2023 10:22 AM
When you import cert in you need to give it same name as your CSR is in the firewall. For example "mycert" as you mentioned in your case.
04-29-2023 11:04 AM
so not the name that was saved on my local drive which is exported to "cert-mycert.csr" automatically?
05-01-2023 04:02 PM
@SamerSaleem wrote:
so not the name that was saved on my local drive which is exported to "cert-mycert.csr" automatically?
When you first created the certificate signing request (CSR), you clicked the "Generate" button and then entered a name under "Certificate Name:". When you import the signed certificate click the "Import" button and then enter the same name under "Certificate Name:", and then select whatever filename you have on your desktop (the filename doesn't matter, just the certificate object name). The PaloAlto will automatically match the signed certificate to the previously generate CSR by the same name.
The signed certificate need to be a base64-encoded PEM file (either .pem or .cer typically), not a "Windows binary" PEM file. You can open it in notepad and you should see something like:
-----BEGIN CERTIFICATE-----
un098n3rimc09n8mricn93imc9imdcin39j83r03c3d
9ijc9crm93mc9r93m9c8m3mc39mr3f9mr09r0c9irm8
c0948j984j0f0984098j03f08r3mf098j3rmf9843jr
m498j40m984jf048jf0984jrf984kjr9fk4r09fk===
-----END CERTIFICATE-----
05-01-2023 10:01 PM
How to import SSl certificate for my website www.emiratesevisaonline.com
05-02-2023 11:21 AM
How did you generate a SSL certificate?
07-27-2023 09:05 AM
Importing the signed certificate with the same name as the CSR does not work. It results in a mismatched public/private key error message. Only when importing the signed certificate with the name "cert_" prefixed to the name will it work. For example, when exporting the CSR, Panorama adds "cert_" to the front of the name. So the filename is cert_MyCert.csr. When importing the signed certificate, if you use 'MyCert' it fails. If you use 'cert_MyCert' it succeeds, but the Key checkbox remains unchecked and the CSR remains in 'pending' state.
07-28-2023 11:15 AM
The Key checkbox remains unchecked and the CSR remains pending because you did not import the signed certificate correctly. You must import the signed certificate with the certificate object name exactly the same as the CSR you generated. The file name of the CSR and signed certificate does not matter.
You generate a CSR to be signed by clicking the "Generate" button at the bottom of the Device->CertificateManagement->Certificates screen and then fill out the relevant information:
Certificate Name: MyCert
Common Name: myserver.example.com
Signed By: External Authority (CSR)
....
When you click the "Generate" button in the Generate Certificate window the output CSR will, by default, be named "cert_MyCert.csr". You can rename the file to anything you want when saving/before submitting to your certificate authority for signing. The content of the CSR matters, not the filename.
After your certificate authority has returned your signed certificate you need to import it to match the CSR previously generated. They may give you a file named "cert_MyCert.cer" or it may be completely different like "myserver_20230715_signed.cer". Again the file name doesn't matter. You click the Import button at the bottom of the Certificates screen and enter the Certificate Name exactly as you did when generating the CSR:
Certificate Name: MyCert
Certificate File: myserver_20230715_signed.cer
File format: Base64 Encoded Certificate (PEM)
...
The PaloAlto will now attempt to match the signed certificate to the previously generated "MyCert" CSR object.
1) If you have imported the signed certificate with a different Certificate Name than the CSR your generated (and it hasn't matched/has no private key), delete the certificate and reimport with the same object name as the CSR. Don't delete the CSR object as you can't recover that unless you have previously exported it with the private key.
2) If your imported signed certificate has a key mismatch with the CSR, then either the signed certificate is not from the CSR or the file has been corrupted (or the signing authority tried to change certificate fields). Make sure you are importing a PEM file (ASCII base64-encoded) and your certificate authority has not sent you a DER file (Windows binary-encoded). Also make sure you did not create multiple CSRs and you are trying to import a signed certificate against the wrong CSR (i.e. you signed the wrong one).
3) Also note: If you are signing your CSR with a private certificate authority (i.e. your own internal corporate certificate infrastructure), you need to import the certificate authority chain before importing the signed certificate (if your CA provides a chain in the signed certificate this may not be necessary). Once the CSR is signed it will appear under the certificate chain.
See the KnowledgeBase for creating a CSR and importing the signed certificate:
https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClSx
07-30-2023 03:00 PM
Thank you for this detailed response. Should the CSR be generated from the local firewall or from Panorama? We received an intermediate and primary (device) certificate. Is it necessary to import them as a chained certificate (https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm) or can they be imported independently? That is, select the orange 'pending' CSR, import the intermediate certificate, and then select the orange 'pending' CSR again and import the primary (device) certificate with the same name as the CSR?
08-01-2023 09:14 AM - edited 08-01-2023 09:18 AM
I do not have Panorama, and as such I always generated CSRs on the local firewall, but it is my understanding you can also do it from Panorama (I suspect its Panorama instructing the local firewall to generate the cert and then downloading the CSR).
If the certificate is signed by a well known CA (i.e. Digicert Global Root G2) the CA certificate is likely already loaded under Device->CertificateManagement->Certificates->DefaultTrustedCertificateAuthorities. You don't need to separately load the parts of a chained certificate (sometimes known as a PK12 file), you can just import the chain directly against the CSR and the PaloAlto will automatically add the rest as needed.
See the KnowledgeBase for importing chained certificate (it references and is the same steps as the KB for importing a signed certificate above):
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkoCAC
If you have signed the certificate with your own private CA, and a complete chained certificate was not provided, then you will need to import the private root CA (and private intermediate CA if so signed) before importing signed certificate against the CSR.
08-01-2023 09:27 AM
@Adrian_Jensen wrote:
I do not have Panorama, and as such I always generated CSRs on the local firewall, but it is my understanding you can also do it from Panorama (I suspect its Panorama instructing the local firewall to generate the cert and then downloading the CSR).
From what I have seen, Panorama generates the private key and pushes it to the firewall as part of the template. And likewise, it will push the signed cert to the firewall. Doesn't matter if you push private key / CSR to the firewall before importing the signed cert or after.
The certs/keys are like any other template settings...just that they happen to be a few hundred characters of randomness instead of other typical settings that are short legible strings.
06-23-2024 11:23 AM
Since the thread was quite useful, i have a similar requirement wherein I already have my internal corporate Root CA and Itermediate CA in my Palo alto firewall certificate store imported. Also other Ipsec vpns with cert-based authentication is running fine.
Now, to estalblish a new ipsec s2s vpn with a new branch office with cert-based auth, i generated the csr and received a signed certificate with pkcs7 having root and intermediate cert in it. However, when i import it into Palo alto, it is asking for key which i did not received from the PKI admin. Do i need to ask the key file as well to import? Also, the cert file received is pkcs7 and palo alto requires pkcs12 will it work if i import the pkcs7 file only??
Also, if i import just the signed certificate with no chain will it work ? since i believe it should because as i mentioned earlier, the Palo alto already has Root CA and Intermediate CA installed from the earlier vpn setup.
Pls guide.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
